@lucern/sdk 0.2.0-alpha.6 → 0.2.0-alpha.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (206) hide show
  1. package/.turbo/turbo-build.log +7 -0
  2. package/.turbo/turbo-typecheck.log +4 -0
  3. package/CHANGELOG.md +13 -0
  4. package/examples/README.md +69 -0
  5. package/examples/contradiction.ts +94 -0
  6. package/examples/investigation-context.ts +118 -0
  7. package/examples/questions-and-tasks.ts +55 -0
  8. package/examples/quickstart.ts +97 -0
  9. package/examples/shared.ts +318 -0
  10. package/examples/strict-public-types.ts +143 -0
  11. package/examples/worktree-lifecycle.ts +79 -0
  12. package/package.json +16 -58
  13. package/src/README.md +6 -0
  14. package/src/adminClient.ts +789 -0
  15. package/{dist/lib/platform/sdk/answersClient.d.ts → src/answersClient.ts} +17 -4
  16. package/src/audiencesClient.ts +209 -0
  17. package/src/auditClient.ts +50 -0
  18. package/src/beliefsClient.ts +319 -0
  19. package/src/client.ts +2647 -0
  20. package/src/contextClient.ts +130 -0
  21. package/{dist/lib/platform/sdk/contextFacade.d.ts → src/contextFacade.ts} +6 -1
  22. package/src/contextPackCompiler.ts +828 -0
  23. package/src/contextPackSchema.ts +251 -0
  24. package/src/contextTypes.ts +153 -0
  25. package/src/contracts/api-enums.contract.ts +202 -0
  26. package/src/contracts/auth-session.contract.ts +109 -0
  27. package/src/contracts/context-pack.contract.ts +700 -0
  28. package/src/contracts/contextPack.ts +1 -0
  29. package/src/contracts/index.ts +10 -0
  30. package/src/contracts/lens-filter.contract.ts +183 -0
  31. package/src/contracts/lens-workflow.contract.ts +162 -0
  32. package/src/contracts/lensFilter.ts +1 -0
  33. package/src/contracts/lensWorkflow.ts +1 -0
  34. package/src/contracts/mcp-tools.contract.ts +3636 -0
  35. package/src/contracts/mcpTools.ts +1 -0
  36. package/src/contracts/prompt.contract.ts +50 -0
  37. package/src/contracts/prompt.ts +1 -0
  38. package/src/contracts/sdk-tools.contract.ts +1457 -0
  39. package/src/contracts/sdkTools.ts +1 -0
  40. package/src/contracts/workflow-runtime.contract.ts +440 -0
  41. package/src/contracts/workflowRuntime.ts +1 -0
  42. package/src/controlObjectOwnership.ts +286 -0
  43. package/src/coreClient.ts +570 -0
  44. package/src/customTools.ts +398 -0
  45. package/src/decisionsClient.ts +286 -0
  46. package/src/domainContext.ts +15 -0
  47. package/src/events.ts +531 -0
  48. package/src/eventsCore.ts +168 -0
  49. package/src/facade/beliefs.ts +83 -0
  50. package/src/facade/context.ts +110 -0
  51. package/src/facade/contradictions.ts +29 -0
  52. package/src/facade/edges.ts +30 -0
  53. package/src/facade/events.ts +23 -0
  54. package/src/facade/evidence.ts +41 -0
  55. package/src/facade/graph.ts +38 -0
  56. package/src/facade/identity.ts +16 -0
  57. package/src/facade/ontologies.ts +34 -0
  58. package/src/facade/questions.ts +59 -0
  59. package/src/facade/search.ts +16 -0
  60. package/src/facade/tasks.ts +37 -0
  61. package/src/facade/topics.ts +42 -0
  62. package/src/facade/webhooks.ts +58 -0
  63. package/src/facade/worktrees.ts +51 -0
  64. package/src/gatewayFacades.ts +1666 -0
  65. package/src/graphClient.ts +529 -0
  66. package/src/harnessClient.ts +585 -0
  67. package/src/identityClient.ts +278 -0
  68. package/src/learningClient.ts +95 -0
  69. package/src/mcpParityClient.ts +240 -0
  70. package/src/mcpParitySurface.ts +70 -0
  71. package/src/ontologyClient.ts +275 -0
  72. package/src/packRuntime.ts +3 -0
  73. package/src/packsClient.ts +260 -0
  74. package/src/policyClient.ts +572 -0
  75. package/src/realtime/index.ts +51 -0
  76. package/src/realtime/refs.ts +17 -0
  77. package/src/reportsClient.ts +99 -0
  78. package/src/schemaClient.ts +129 -0
  79. package/src/sdkSurface.ts +190 -0
  80. package/src/topicsClient.ts +243 -0
  81. package/src/types.ts +807 -0
  82. package/src/workflowClient.ts +826 -0
  83. package/tsconfig.json +9 -0
  84. package/dist/.generated +0 -2
  85. package/dist/index.d.ts +0 -3
  86. package/dist/index.js +0 -3
  87. package/dist/lib/platform/auth/credentials.d.ts +0 -5
  88. package/dist/lib/platform/auth/credentials.js +0 -40
  89. package/dist/lib/platform/sdk/adminClient.d.ts +0 -404
  90. package/dist/lib/platform/sdk/adminClient.js +0 -384
  91. package/dist/lib/platform/sdk/answersClient.js +0 -21
  92. package/dist/lib/platform/sdk/audiencesClient.d.ts +0 -93
  93. package/dist/lib/platform/sdk/audiencesClient.js +0 -111
  94. package/dist/lib/platform/sdk/auditClient.d.ts +0 -24
  95. package/dist/lib/platform/sdk/auditClient.js +0 -21
  96. package/dist/lib/platform/sdk/beliefsClient.d.ts +0 -157
  97. package/dist/lib/platform/sdk/beliefsClient.js +0 -124
  98. package/dist/lib/platform/sdk/client.d.ts +0 -2369
  99. package/dist/lib/platform/sdk/client.js +0 -1831
  100. package/dist/lib/platform/sdk/contextClient.d.ts +0 -21
  101. package/dist/lib/platform/sdk/contextClient.js +0 -86
  102. package/dist/lib/platform/sdk/contextFacade.js +0 -10
  103. package/dist/lib/platform/sdk/contextPackCompiler.d.ts +0 -100
  104. package/dist/lib/platform/sdk/contextPackCompiler.js +0 -534
  105. package/dist/lib/platform/sdk/contextTypes.d.ts +0 -133
  106. package/dist/lib/platform/sdk/contextTypes.js +0 -1
  107. package/dist/lib/platform/sdk/controlObjectOwnership.d.ts +0 -308
  108. package/dist/lib/platform/sdk/controlObjectOwnership.js +0 -220
  109. package/dist/lib/platform/sdk/coreClient.d.ts +0 -139
  110. package/dist/lib/platform/sdk/coreClient.js +0 -366
  111. package/dist/lib/platform/sdk/customTools.d.ts +0 -83
  112. package/dist/lib/platform/sdk/customTools.js +0 -247
  113. package/dist/lib/platform/sdk/decisionsClient.d.ts +0 -106
  114. package/dist/lib/platform/sdk/decisionsClient.js +0 -129
  115. package/dist/lib/platform/sdk/domainContext.d.ts +0 -1
  116. package/dist/lib/platform/sdk/domainContext.js +0 -1
  117. package/dist/lib/platform/sdk/events.d.ts +0 -176
  118. package/dist/lib/platform/sdk/events.js +0 -261
  119. package/dist/lib/platform/sdk/eventsCore.d.ts +0 -13
  120. package/dist/lib/platform/sdk/eventsCore.js +0 -13
  121. package/dist/lib/platform/sdk/gatewayFacades.d.ts +0 -586
  122. package/dist/lib/platform/sdk/gatewayFacades.js +0 -845
  123. package/dist/lib/platform/sdk/graphClient.d.ts +0 -266
  124. package/dist/lib/platform/sdk/graphClient.js +0 -235
  125. package/dist/lib/platform/sdk/harnessClient.d.ts +0 -309
  126. package/dist/lib/platform/sdk/harnessClient.js +0 -219
  127. package/dist/lib/platform/sdk/identityClient.d.ts +0 -134
  128. package/dist/lib/platform/sdk/identityClient.js +0 -131
  129. package/dist/lib/platform/sdk/index.js +0 -49
  130. package/dist/lib/platform/sdk/learningClient.d.ts +0 -40
  131. package/dist/lib/platform/sdk/learningClient.js +0 -53
  132. package/dist/lib/platform/sdk/mcpParityClient.d.ts +0 -69
  133. package/dist/lib/platform/sdk/mcpParityClient.js +0 -196
  134. package/dist/lib/platform/sdk/mcpParitySurface.d.ts +0 -10
  135. package/dist/lib/platform/sdk/mcpParitySurface.js +0 -57
  136. package/dist/lib/platform/sdk/ontologyClient.d.ts +0 -131
  137. package/dist/lib/platform/sdk/ontologyClient.js +0 -161
  138. package/dist/lib/platform/sdk/packRuntime.d.ts +0 -1
  139. package/dist/lib/platform/sdk/packRuntime.js +0 -1
  140. package/dist/lib/platform/sdk/packsClient.d.ts +0 -126
  141. package/dist/lib/platform/sdk/packsClient.js +0 -157
  142. package/dist/lib/platform/sdk/policyClient.d.ts +0 -293
  143. package/dist/lib/platform/sdk/policyClient.js +0 -277
  144. package/dist/lib/platform/sdk/promptCatalog.js +0 -1
  145. package/dist/lib/platform/sdk/reportsClient.d.ts +0 -34
  146. package/dist/lib/platform/sdk/reportsClient.js +0 -64
  147. package/dist/lib/platform/sdk/schemaClient.d.ts +0 -59
  148. package/dist/lib/platform/sdk/schemaClient.js +0 -71
  149. package/dist/lib/platform/sdk/sdkSurface.d.ts +0 -56
  150. package/dist/lib/platform/sdk/sdkSurface.js +0 -140
  151. package/dist/lib/platform/sdk/topicsClient.d.ts +0 -78
  152. package/dist/lib/platform/sdk/topicsClient.js +0 -118
  153. package/dist/lib/platform/sdk/types.d.ts +0 -692
  154. package/dist/lib/platform/sdk/types.js +0 -1
  155. package/dist/lib/platform/sdk/version.d.ts +0 -2
  156. package/dist/lib/platform/sdk/workflowClient.d.ts +0 -313
  157. package/dist/lib/platform/sdk/workflowClient.js +0 -366
  158. package/dist/lucern/contracts/src/api-enums.contract.d.ts +0 -58
  159. package/dist/lucern/contracts/src/api-enums.contract.js +0 -147
  160. package/dist/lucern/contracts/src/auth-context.contract.d.ts +0 -8
  161. package/dist/lucern/contracts/src/auth-context.contract.js +0 -8
  162. package/dist/lucern/contracts/src/auth-session.contract.d.ts +0 -8
  163. package/dist/lucern/contracts/src/auth-session.contract.js +0 -8
  164. package/dist/lucern/contracts/src/auth.contract.d.ts +0 -88
  165. package/dist/lucern/contracts/src/auth.contract.js +0 -57
  166. package/dist/lucern/contracts/src/context-pack.contract.d.ts +0 -494
  167. package/dist/lucern/contracts/src/context-pack.contract.js +0 -169
  168. package/dist/lucern/contracts/src/convex-admin.contract.d.ts +0 -5
  169. package/dist/lucern/contracts/src/convex-admin.contract.js +0 -1
  170. package/dist/lucern/contracts/src/events-types.contract.d.ts +0 -8
  171. package/dist/lucern/contracts/src/events-types.contract.js +0 -8
  172. package/dist/lucern/contracts/src/events.contract.d.ts +0 -176
  173. package/dist/lucern/contracts/src/events.contract.js +0 -159
  174. package/dist/lucern/contracts/src/gateway.contract.d.ts +0 -74
  175. package/dist/lucern/contracts/src/gateway.contract.js +0 -19
  176. package/dist/lucern/contracts/src/ids.contract.d.ts +0 -7
  177. package/dist/lucern/contracts/src/ids.contract.js +0 -24
  178. package/dist/lucern/contracts/src/index.d.ts +0 -29
  179. package/dist/lucern/contracts/src/index.js +0 -29
  180. package/dist/lucern/contracts/src/lens-filter.contract.d.ts +0 -70
  181. package/dist/lucern/contracts/src/lens-filter.contract.js +0 -95
  182. package/dist/lucern/contracts/src/lens-workflow.contract.d.ts +0 -84
  183. package/dist/lucern/contracts/src/lens-workflow.contract.js +0 -54
  184. package/dist/lucern/contracts/src/mcp-tools.contract.d.ts +0 -151
  185. package/dist/lucern/contracts/src/mcp-tools.contract.js +0 -3281
  186. package/dist/lucern/contracts/src/ontology-matching.contract.d.ts +0 -8
  187. package/dist/lucern/contracts/src/ontology-matching.contract.js +0 -8
  188. package/dist/lucern/contracts/src/prompt.contract.d.ts +0 -24
  189. package/dist/lucern/contracts/src/prompt.contract.js +0 -24
  190. package/dist/lucern/contracts/src/sdk-methods.contract.d.ts +0 -358
  191. package/dist/lucern/contracts/src/sdk-methods.contract.js +0 -19
  192. package/dist/lucern/contracts/src/sdk-tools.contract.d.ts +0 -92
  193. package/dist/lucern/contracts/src/sdk-tools.contract.js +0 -1398
  194. package/dist/lucern/contracts/src/text-matching.contract.d.ts +0 -53
  195. package/dist/lucern/contracts/src/text-matching.contract.js +0 -277
  196. package/dist/lucern/contracts/src/topic-scope.contract.d.ts +0 -8
  197. package/dist/lucern/contracts/src/topic-scope.contract.js +0 -8
  198. package/dist/lucern/contracts/src/workflow-runtime.contract.d.ts +0 -161
  199. package/dist/lucern/contracts/src/workflow-runtime.contract.js +0 -257
  200. package/dist/realtime-refs.d.ts +0 -1
  201. package/dist/realtime-refs.js +0 -1
  202. package/dist/realtime.d.ts +0 -1
  203. package/dist/realtime.js +0 -1
  204. /package/{dist/lib/platform/sdk/index.d.ts → src/index.ts} +0 -0
  205. /package/{dist/lib/platform/sdk/promptCatalog.d.ts → src/promptCatalog.ts} +0 -0
  206. /package/{dist/lib/platform/sdk/version.js → src/version.ts} +0 -0
@@ -0,0 +1,572 @@
1
+ import {
2
+ createGatewayRequestClient,
3
+ type GatewayClientConfig,
4
+ type GatewayScope,
5
+ LucernApiError,
6
+ randomIdempotencyKey,
7
+ toQueryString,
8
+ } from "./coreClient";
9
+ import { createListResult, mapGatewayData } from "./sdkSurface";
10
+
11
+ export { LucernApiError };
12
+ export type { GatewayScope, PlatformGatewaySuccess } from "./coreClient";
13
+
14
+ /** Configuration for the policy client. */
15
+ export type PolicyClientConfig = GatewayClientConfig;
16
+
17
+ /** Permission direction: read access or write access. */
18
+ export type PermissionKind = "read" | "write";
19
+
20
+ /** Permission level for a write policy rule. */
21
+ export type WritePolicyPermission = "allow" | "deny" | "review_required";
22
+
23
+ type TopicRecord = {
24
+ topicId?: string;
25
+ name?: string;
26
+ type?: string;
27
+ isOwner?: boolean;
28
+ [key: string]: unknown;
29
+ };
30
+
31
+ /** Structured explanation of how a policy decision was derived. */
32
+ export type PolicyDecisionExplanation = {
33
+ summary?: string;
34
+ matchedReasonCode?: string;
35
+ steps?: Array<{
36
+ stage?: string;
37
+ outcome?: string;
38
+ reasonCode?: string;
39
+ detail?: string;
40
+ }>;
41
+ [key: string]: unknown;
42
+ };
43
+
44
+ /** Result of a permission check against the policy engine. */
45
+ export type PermissionDecision = {
46
+ allowed?: boolean;
47
+ decision?: string;
48
+ reasonCode?: string;
49
+ principalId?: string;
50
+ topicId?: string;
51
+ permission?: string;
52
+ policyVersion?: string;
53
+ traceId?: string | null;
54
+ explanation?: PolicyDecisionExplanation;
55
+ };
56
+
57
+ /** A persisted write policy rule controlling mutation access. */
58
+ export type WritePolicyRecord = {
59
+ id?: string;
60
+ topicId?: string;
61
+ role?: string;
62
+ toolCategory?: string;
63
+ permission?: WritePolicyPermission;
64
+ maxWritesPerSession?: number;
65
+ enabled?: boolean;
66
+ rationale?: string;
67
+ createdAt?: number;
68
+ updatedAt?: number;
69
+ createdBy?: string;
70
+ resolution?: string;
71
+ [key: string]: unknown;
72
+ };
73
+
74
+ /** Input for creating a write policy rule. */
75
+ export type WritePolicyCreateInput = GatewayScope & {
76
+ topicId?: string;
77
+ role: string;
78
+ toolCategory: string;
79
+ permission: WritePolicyPermission;
80
+ maxWritesPerSession?: number;
81
+ enabled?: boolean;
82
+ rationale?: string;
83
+ createdBy?: string;
84
+ };
85
+
86
+ /** Input for partially updating an existing write policy rule. */
87
+ export type WritePolicyUpdateInput = GatewayScope & {
88
+ topicId?: string;
89
+ clearTopicId?: boolean;
90
+ role?: string;
91
+ toolCategory?: string;
92
+ permission?: WritePolicyPermission;
93
+ maxWritesPerSession?: number;
94
+ clearMaxWritesPerSession?: boolean;
95
+ enabled?: boolean;
96
+ rationale?: string;
97
+ clearRationale?: boolean;
98
+ };
99
+
100
+ export type TenantPolicyPermission = {
101
+ resource: string;
102
+ actions: string[];
103
+ };
104
+
105
+ export type TenantPolicyRecord = {
106
+ id?: string;
107
+ tenantId: string;
108
+ workspaceId?: string;
109
+ roleName: string;
110
+ description?: string;
111
+ permissions: TenantPolicyPermission[];
112
+ groupBindings: string[];
113
+ createdAt?: number;
114
+ updatedAt?: number;
115
+ createdBy?: string;
116
+ updatedBy?: string;
117
+ };
118
+
119
+ type AccessibleTopicsResponse = {
120
+ permission: PermissionKind;
121
+ topics: TopicRecord[];
122
+ total: number;
123
+ deniedTopics: Array<{
124
+ topicId: string;
125
+ reasonCode: string;
126
+ }>;
127
+ };
128
+
129
+ type FilterByPermissionResponse = {
130
+ permission: PermissionKind;
131
+ allowedTopicIds: string[];
132
+ deniedTopics: Array<{
133
+ topicId: string;
134
+ reasonCode: string;
135
+ }>;
136
+ count: number;
137
+ };
138
+
139
+ function asTopicArray(data: unknown): TopicRecord[] {
140
+ if (Array.isArray(data)) {
141
+ return data.filter(
142
+ (row): row is TopicRecord => Boolean(row) && typeof row === "object"
143
+ );
144
+ }
145
+ return [];
146
+ }
147
+
148
+ function asWritePolicyRecord(data: unknown): WritePolicyRecord | null {
149
+ if (!data || typeof data !== "object") {
150
+ return null;
151
+ }
152
+ return data as WritePolicyRecord;
153
+ }
154
+
155
+ function asWritePolicyArray(data: unknown): WritePolicyRecord[] {
156
+ if (!Array.isArray(data)) {
157
+ return [];
158
+ }
159
+ return data
160
+ .map(asWritePolicyRecord)
161
+ .filter((row): row is WritePolicyRecord => Boolean(row));
162
+ }
163
+
164
+ function asRolePolicyRecord(data: unknown): TenantPolicyRecord | null {
165
+ if (!data || typeof data !== "object") {
166
+ return null;
167
+ }
168
+ return data as TenantPolicyRecord;
169
+ }
170
+
171
+ function asRolePolicyArray(data: unknown): TenantPolicyRecord[] {
172
+ if (!Array.isArray(data)) {
173
+ return [];
174
+ }
175
+ return data
176
+ .map(asRolePolicyRecord)
177
+ .filter((row): row is TenantPolicyRecord => Boolean(row));
178
+ }
179
+
180
+ /**
181
+ * Create the policy client for permission checks, grants, and write policies.
182
+ * @param config - Gateway transport configuration.
183
+ * @returns An object with methods to check permissions, manage grants, and manage write policies.
184
+ */
185
+ export function createPolicyClient(config: PolicyClientConfig = {}) {
186
+ const gateway = createGatewayRequestClient(config);
187
+
188
+ return {
189
+ /**
190
+ * List policy decisions in the current scope.
191
+ */
192
+ async listDecisions(
193
+ query: GatewayScope & {
194
+ action?: string;
195
+ decision?: string;
196
+ traceId?: string;
197
+ principalId?: string;
198
+ topicId?: string;
199
+ limit?: number;
200
+ } = {}
201
+ ) {
202
+ return gateway.request<unknown>({
203
+ path: `/api/platform/v1/policy/decisions${toQueryString(query)}`,
204
+ }).then((response) =>
205
+ mapGatewayData(response, (data) =>
206
+ createListResult(Array.isArray(data) ? data : [], "decisions")
207
+ )
208
+ );
209
+ },
210
+
211
+ /**
212
+ * Create a permission grant.
213
+ */
214
+ async grant(
215
+ input: GatewayScope & {
216
+ topicId: string;
217
+ permission: PermissionKind;
218
+ principal?: string;
219
+ principalId?: string;
220
+ groupId?: string;
221
+ beliefClusterId?: string;
222
+ expiresAt?: number;
223
+ },
224
+ idempotencyKey?: string
225
+ ) {
226
+ return gateway.request<unknown>({
227
+ path: "/api/platform/v1/policy/grant",
228
+ method: "POST",
229
+ body: input,
230
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
231
+ });
232
+ },
233
+
234
+ /**
235
+ * Delete a permission grant by revoking it.
236
+ */
237
+ async revoke(
238
+ input: GatewayScope & {
239
+ topicId: string;
240
+ principal?: string;
241
+ principalId?: string;
242
+ groupId?: string;
243
+ beliefClusterId?: string;
244
+ },
245
+ idempotencyKey?: string
246
+ ) {
247
+ return gateway.request<unknown>({
248
+ path: "/api/platform/v1/policy/revoke",
249
+ method: "POST",
250
+ body: input,
251
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
252
+ });
253
+ },
254
+
255
+ /**
256
+ * List write policy rules for the current scope.
257
+ */
258
+ async listWritePolicies(
259
+ query: GatewayScope & {
260
+ topicId?: string;
261
+ role?: string;
262
+ toolCategory?: string;
263
+ enabled?: boolean;
264
+ } = {}
265
+ ) {
266
+ const response = await gateway.request<{ policies?: unknown[] }>({
267
+ path: `/api/platform/v1/policy/write-policies${toQueryString(query)}`,
268
+ });
269
+ const rawPolicies =
270
+ response.data && typeof response.data === "object"
271
+ ? (response.data as { policies?: unknown[] }).policies
272
+ : response.data;
273
+
274
+ return {
275
+ ...response,
276
+ data: {
277
+ policies: asWritePolicyArray(rawPolicies),
278
+ },
279
+ };
280
+ },
281
+
282
+ /**
283
+ * Create a write policy rule.
284
+ */
285
+ async createWritePolicy(
286
+ input: WritePolicyCreateInput,
287
+ idempotencyKey?: string
288
+ ) {
289
+ const response = await gateway.request<{
290
+ id?: string;
291
+ created?: boolean;
292
+ policy?: unknown;
293
+ }>({
294
+ path: "/api/platform/v1/policy/write-policies",
295
+ method: "POST",
296
+ body: input,
297
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
298
+ });
299
+
300
+ return {
301
+ ...response,
302
+ data: {
303
+ id:
304
+ typeof response.data?.id === "string" ? response.data.id : undefined,
305
+ created: response.data?.created === true,
306
+ policy: asWritePolicyRecord(response.data?.policy),
307
+ },
308
+ };
309
+ },
310
+
311
+ /**
312
+ * Update an existing write policy rule by identifier.
313
+ */
314
+ async updateWritePolicy(
315
+ id: string,
316
+ input: WritePolicyUpdateInput,
317
+ idempotencyKey?: string
318
+ ) {
319
+ const response = await gateway.request<{
320
+ id?: string;
321
+ updated?: boolean;
322
+ policy?: unknown;
323
+ }>({
324
+ path: `/api/platform/v1/policy/write-policies/${encodeURIComponent(id)}`,
325
+ method: "PATCH",
326
+ body: input,
327
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
328
+ });
329
+
330
+ return {
331
+ ...response,
332
+ data: {
333
+ id:
334
+ typeof response.data?.id === "string" ? response.data.id : undefined,
335
+ updated: response.data?.updated === true,
336
+ policy: asWritePolicyRecord(response.data?.policy),
337
+ },
338
+ };
339
+ },
340
+
341
+ /**
342
+ * Delete a write policy rule by identifier.
343
+ */
344
+ async deleteWritePolicy(
345
+ id: string,
346
+ scope: GatewayScope = {},
347
+ idempotencyKey?: string
348
+ ) {
349
+ return gateway.request<{ id?: string; deleted?: boolean }>({
350
+ path: `/api/platform/v1/policy/write-policies/${encodeURIComponent(
351
+ id
352
+ )}${toQueryString(scope)}`,
353
+ method: "DELETE",
354
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
355
+ });
356
+ },
357
+
358
+ /**
359
+ * List tenant role policies for the current scope.
360
+ */
361
+ async listRolePolicies(query: GatewayScope = {}) {
362
+ const response = await gateway.request<{ policies?: unknown[] }>({
363
+ path: `/api/platform/v1/policy/roles${toQueryString(query)}`,
364
+ });
365
+
366
+ return {
367
+ ...response,
368
+ data: {
369
+ policies: asRolePolicyArray(response.data?.policies),
370
+ },
371
+ };
372
+ },
373
+
374
+ /**
375
+ * Create a tenant role policy.
376
+ */
377
+ async createRolePolicy(
378
+ input: GatewayScope & {
379
+ roleName: string;
380
+ description?: string;
381
+ permissions: TenantPolicyPermission[];
382
+ groupBindings?: string[];
383
+ },
384
+ idempotencyKey?: string
385
+ ) {
386
+ const response = await gateway.request<{ policy?: unknown }>({
387
+ path: "/api/platform/v1/policy/roles",
388
+ method: "POST",
389
+ body: input,
390
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
391
+ });
392
+
393
+ return {
394
+ ...response,
395
+ data: {
396
+ policy: asRolePolicyRecord(response.data?.policy),
397
+ },
398
+ };
399
+ },
400
+
401
+ /**
402
+ * Update a tenant role policy by identifier.
403
+ */
404
+ async updateRolePolicy(
405
+ id: string,
406
+ input: GatewayScope & {
407
+ roleName: string;
408
+ description?: string;
409
+ permissions: TenantPolicyPermission[];
410
+ groupBindings?: string[];
411
+ },
412
+ idempotencyKey?: string
413
+ ) {
414
+ const response = await gateway.request<{ policy?: unknown }>({
415
+ path: `/api/platform/v1/policy/roles/${encodeURIComponent(id)}`,
416
+ method: "PATCH",
417
+ body: input,
418
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
419
+ });
420
+
421
+ return {
422
+ ...response,
423
+ data: {
424
+ policy: asRolePolicyRecord(response.data?.policy),
425
+ },
426
+ };
427
+ },
428
+
429
+ /**
430
+ * Delete a tenant role policy by identifier.
431
+ */
432
+ async deleteRolePolicy(
433
+ id: string,
434
+ scope: GatewayScope = {},
435
+ idempotencyKey?: string
436
+ ) {
437
+ return gateway.request<unknown>({
438
+ path: `/api/platform/v1/policy/roles/${encodeURIComponent(id)}${toQueryString(
439
+ scope
440
+ )}`,
441
+ method: "DELETE",
442
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
443
+ });
444
+ },
445
+
446
+ /**
447
+ * Check a permission decision for a topic or project scope.
448
+ */
449
+ async checkPermission(
450
+ query: GatewayScope & {
451
+ topicId?: string;
452
+ permission?: PermissionKind;
453
+ principal?: string;
454
+ principalId?: string;
455
+ beliefClusterId?: string;
456
+ }
457
+ ) {
458
+ if (!query.topicId) {
459
+ throw new Error("topicId is required");
460
+ }
461
+ return gateway.request<PermissionDecision>({
462
+ path: `/api/platform/v1/policy/check${toQueryString(query)}`,
463
+ });
464
+ },
465
+
466
+ /**
467
+ * List accessible topics for a principal.
468
+ */
469
+ async listAccessibleTopics(
470
+ query: GatewayScope & {
471
+ permission?: PermissionKind;
472
+ includeShared?: boolean;
473
+ principal?: string;
474
+ principalId?: string;
475
+ limit?: number;
476
+ } = {}
477
+ ) {
478
+ const permission = query.permission ?? "read";
479
+ const principal = query.principal ?? query.principalId;
480
+ const response = await gateway.request<{
481
+ permission?: PermissionKind;
482
+ topics?: unknown[];
483
+ total?: number;
484
+ deniedTopics?: Array<{
485
+ topicId: string;
486
+ reasonCode: string;
487
+ }>;
488
+ }>({
489
+ path: `/api/platform/v1/policy/topics${toQueryString({
490
+ tenantId: query.tenantId,
491
+ workspaceId: query.workspaceId,
492
+ permission,
493
+ includeShared: query.includeShared,
494
+ principal,
495
+ limit: query.limit,
496
+ })}`,
497
+ });
498
+
499
+ return {
500
+ ...response,
501
+ data: {
502
+ permission,
503
+ topics: asTopicArray(response.data?.topics),
504
+ total:
505
+ typeof response.data?.total === "number"
506
+ ? response.data.total
507
+ : asTopicArray(response.data?.topics).length,
508
+ deniedTopics: Array.isArray(response.data?.deniedTopics)
509
+ ? response.data.deniedTopics
510
+ : [],
511
+ } satisfies AccessibleTopicsResponse,
512
+ };
513
+ },
514
+
515
+ /**
516
+ * Filter topic identifiers by permission.
517
+ */
518
+ async filterByPermission(
519
+ input: GatewayScope & {
520
+ topicIds?: string[];
521
+ permission?: PermissionKind;
522
+ principal?: string;
523
+ principalId?: string;
524
+ }
525
+ ) {
526
+ const permission = input.permission ?? "read";
527
+ const principal = input.principal ?? input.principalId;
528
+ const uniqueTopicIds = [...new Set(input.topicIds ?? [])].filter(
529
+ (topicId) => typeof topicId === "string" && topicId.trim().length > 0
530
+ );
531
+ const response = await gateway.request<{
532
+ permission?: PermissionKind;
533
+ allowedTopicIds?: string[];
534
+ deniedTopics?: Array<{
535
+ topicId: string;
536
+ reasonCode: string;
537
+ }>;
538
+ count?: number;
539
+ }>({
540
+ path: "/api/platform/v1/policy/filter",
541
+ method: "POST",
542
+ body: {
543
+ tenantId: input.tenantId,
544
+ workspaceId: input.workspaceId,
545
+ topicIds: uniqueTopicIds,
546
+ permission,
547
+ principal,
548
+ },
549
+ });
550
+
551
+ const allowedTopicIds = Array.isArray(response.data?.allowedTopicIds)
552
+ ? response.data.allowedTopicIds
553
+ : [];
554
+ const deniedTopics = Array.isArray(response.data?.deniedTopics)
555
+ ? response.data.deniedTopics
556
+ : [];
557
+
558
+ return {
559
+ success: true,
560
+ data: {
561
+ permission,
562
+ allowedTopicIds,
563
+ deniedTopics,
564
+ count:
565
+ typeof response.data?.count === "number"
566
+ ? response.data.count
567
+ : allowedTopicIds.length,
568
+ } satisfies FilterByPermissionResponse,
569
+ };
570
+ },
571
+ };
572
+ }
@@ -0,0 +1,51 @@
1
+ import { ConvexHttpClient } from "convex/browser";
2
+ import type { ConvexReactClientOptions as LucernConvexReactClientOptions } from "convex/react";
3
+ import {
4
+ ConvexReactClient,
5
+ useAction,
6
+ useConvex,
7
+ useMutation,
8
+ useQuery,
9
+ } from "convex/react";
10
+
11
+ /**
12
+ * Re-export the server-safe ref surface so existing client consumers keep a
13
+ * single import site. Server code must import from `@lucern/sdk/realtime/refs`
14
+ * instead, because this module statically pulls in `convex/react` which is
15
+ * incompatible with the Next.js Edge runtime React shim.
16
+ */
17
+ export { subscriptionRefs, platformApi, type AnyApi } from "./refs";
18
+
19
+ /**
20
+ * Opt-in realtime hook surface. These preserve native Convex semantics while
21
+ * moving the transport boundary behind an SDK subpath export.
22
+ */
23
+ export const useLucernSubscription: typeof useQuery = useQuery;
24
+ export const useLucernMutation: typeof useMutation = useMutation;
25
+ export const useLucernAction: typeof useAction = useAction;
26
+ export const useLucernRealtimeClient: typeof useConvex = useConvex;
27
+
28
+ export type LucernRealtimeClient = ConvexReactClient;
29
+ export type LucernHttpClient = ConvexHttpClient;
30
+
31
+ /**
32
+ * Construct the Convex realtime client that host apps wire into their provider
33
+ * tree. Keeping this here lets HTTP-only consumers avoid importing the
34
+ * realtime surface altogether.
35
+ */
36
+ export function createLucernRealtimeClient(
37
+ address: string,
38
+ options?: LucernConvexReactClientOptions
39
+ ): LucernRealtimeClient {
40
+ return new ConvexReactClient(address, options);
41
+ }
42
+
43
+ /**
44
+ * Construct the HTTP-only Convex client behind the SDK boundary so app code
45
+ * does not import `convex/browser` directly.
46
+ */
47
+ export function createLucernHttpClient(address: string): LucernHttpClient {
48
+ return new ConvexHttpClient(address);
49
+ }
50
+
51
+ export type { LucernConvexReactClientOptions };
@@ -0,0 +1,17 @@
1
+ import { type AnyApi, anyApi } from "convex/server";
2
+
3
+ /**
4
+ * Server-safe realtime ref surface.
5
+ *
6
+ * Keep this module free of any import that transitively pulls `convex/react`
7
+ * or `convex/browser`. Edge-runtime routes and server adapters import from
8
+ * `@lucern/sdk/realtime/refs` so Next.js never bundles the Convex React client
9
+ * (which imports React hooks that are not available in the Edge runtime shim).
10
+ *
11
+ * Client consumers should continue importing from `@lucern/sdk/realtime`.
12
+ */
13
+ export const subscriptionRefs: AnyApi = anyApi;
14
+
15
+ export const platformApi = subscriptionRefs;
16
+
17
+ export type { AnyApi };